Before the Thanksgiving holiday, the Court issued its first “decision” in one of the 46 cases (so far) that make up its OT24 term. But just like last year, this year’s first decision was more of a decision not to decide: In Facebook, Inc. v. Amalgamated Bank (No. 23-980), the Court dismissed the case as improvidently granted in a one-sentence order with no concurrences or dissents. What gives?
Without any explanation from the Justices, all we can do is speculate. So here we go: Facebook arose from the Cambridge Analytica controversy some of you may remember from around 2018. For those who don’t recall, a British political consulting firm, Cambridge Analytica, used a flaw in a Facebook personality quiz to collect information about millions of Facebook users without the users’ knowledge or consent. It then used that information to build a large demographic database to inform its political consulting. Soon after the story broke, reports emerged that Facebook had been aware of Cambridge Analytica’s violation of Facebook’s policies and terms of service for months or years but had not done much (or at least enough) to prevent it from improperly accessing and storing users’ data. Facebook’s shares dropped precipitously, losing nearly 20% of their value in the week after the news was first published.
Facebook’s shareholders soon filed a class-action complaint against Facebook, alleging that it committed securities fraud by making various misstatements to the public about its efforts to protect users’ data. The shareholders focused particularly on Facebook’s 2016 Form 10-K. Its “risk disclosures” section warned generally that if developers failed to adhere to adequate data security practices, Facebook users’ data “may be improperly accessed, used, or disclosed.” The shareholders argued that statement was misleading because it neglected to mention that Facebook knew this very risk had just recently unfolded and implied it was only a hypothetical. A California District Court dismissed the case, but a divided Ninth Circuit panel reversed, concluding that the complaint adequately alleged the risk disclosure was misleading. In doing so, the Ninth Circuit relied on circuit precedent holding that a risk disclosure is materially misleading if it warns about a risk that “could” occur without also informing the public that the warned-of risk had actually materialized in the past.
Facebook turned to the Supreme Court, arguing that the case was appropriate for certiorari because the federal courts of appeal had reached at least three inconsistent tests for determining when a risk disclosure in a 10-K may be misleading and give rise to liability. The Supreme Court agreed to hear the case, but it limited the question presented to whether a risk disclosure is false or misleading if it does not disclose “that a risk has materialized in the past, even if that past event presents no known risk of ongoing or future business harm.”
Over the course of briefing and argument, though, it became less and less clear what exactly the Supreme Court was being asked to decide. In its merits brief, Facebook primarily pushed for the bright-line rule that a forward-looking risk disclosure doesn’t make any implied representations about what had occurred in the past, so a reasonable investor could never be misled by it. The shareholders countered that Facebook had never made this argument below and accused Facebook of going beyond what it had argued in its cert petition. On the merits, the shareholders—with the support of the U.S. Government as amicus—argued that risk disclosures can make implied representations about past events and that given the overall context, the Ninth Circuit was right to conclude that Facebook’s disclosure was misleading (at least at the pleading stage).
At oral argument a few weeks ago, it seemed clear that many of the Justices were skeptical of Facebook’s proposed rule. That included some of the conservative justices—particularly Justices Thomas—who wondered why a reasonable person would not interpret Facebook’s disclosure as implicitly representing that this sort of thing had not previously happened. And once a categorical approach to risk disclosures appeared unlikely to command a majority, it was hard to see a crisp legal dispute for the Court to resolve. Instead, the case looked more like a fact-dependent dispute turning on Facebook’s specific statements and the details of this specific data breach. Maybe the Ninth Circuit was wrong to call this one a strike, but video re-review of how lower courts called a pitch is not something the Supreme Court likes to spend too much of its time doing. So instead, it dismissed the case, returning it to the Ninth Circuit and then the District Court for further proceedings on the merits. Questions about when a risk disclosure is misleading thus await for day and another case.